Mark Minasi's Windows Networking Tech Page
Issue #91 September 2011

Document copyright 2011 Mark Minasi; please see below for info on subscribing, unsubscribing or copying portions of this text.

What's Inside

  • News
    • Learn with My Seminars, Audio Recordings and More!
  • Tech Section
    • What's Coming in Server 8
  • Conferences
  • To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

I am fortunate in being able to attend BUILD, Microsoft's first conference that unveils what's coming in the next version of Windows.  (Microsoft's calling it "Windows 8," but they may give it another name when they ship it.  I imagine that because if its name were Windows 8, that would immediately get abbreviated to "W8," and in no time people would notice that "W8" can be pronounced "wait" and, well, you see where that would go.)  BUILD's mostly about the desktop version of Windows 8, but last week, I got to sit in on a bunch of in-depth, fast-paced, brain-melting discussions of what's coming in Server 8. 

In all honesty I expected to sit through a fairly short list of things, as it's only been about two years since Server 2008 R2 RTM-ed, and at this point Windows is so big that its very necessary change control process makes for slower innovation.  I also expected to hear a bunch of innovations interesting only to a few big Fortune 500s.  You see, there have been a few releases of Server wherein all of the "exciting new features" sounded like someone from Microsoft saying, "we discovered a problem in that when one of our DHCP servers hosts its 10,000th scope, its ESE database becomes corrupted and we're really jazzed to have fixed that," and yes, that is good news, but, ya know, there's probably only ten companies on the planet that care.  Let's be clear, they are ten companies who each pay Microsoft checks with a whole bunch of zeroes every year, so I get why the MS folks would be jazzed, but I guess I've become a bit jaded and so need some stimulation.  Still, I've been curious and so have done whatever probing and poking I can when talking to the folks that I know at Microsoft, and the answer has been a mildly uninterested "yeah, we've got some stuff, we're not sure when it'll be available, the real story's the changes in the desktop version of Windows, we'll let you know when we get something interesting done."

Who knew those Microsoft folks could be such poker-faced, sneaky bastards?

So in this issue, I want to try to do at least a bullet point and a few sentences of comment for each feature, but first, a word from our sponsor.

My Three-Day Server 2012/2012R2 Class is Running in California at a Great Price!

MISAC, a nonprofit group of IT pros who work in support roles for cities throughout California, have hired me to do my in-depth three-day Server 2012/2012R2 class in three cities in California. The class normally runs $1600 per student, but they're offering it to their members for $799/student. Now, I've unfortunately been too busy to put together a public seminar calendar for 2014 yet -- apologies -- so I asked them if they'd be interested in opening their enrollment to the public at large, and they kindly agreed. They're offering seats for non-MISAC members for $999, a $601 discount. The first class runs next Tuesday-Thursday (25-27 February 2014) in Petaluma, followed by a session in March at Diamond Bar (25-27 March 2014) and then in April in Encinitas (22-24 April 2014). Anyone's welcome, and you'd register with MISAC on their Web site, not me. Find out more here: http://www.misac.org/

Windows 8 Server, In Brief

As I've already said, Microsoft has gotten a lot done in a short period of time.  After sitting through two days of presentations, though, it occurred to me that there is something of a unifying thread to what initially seems a fairly wide-reaching array of new concepts and upgrades.  After a bit, however, you get that there are a few common themes, so keep these in mind as you hear about Windows 8 Server.

  • Bigger.  Windows smells more mainframe-y, more enterprise-y, more reliable-y than ever before.  Consider that the new IIS's main story is that it can reliably and scalably let you host tens of thousands of Web sites on a single box or two, all the while letting you be relatively certain that the owner of Web Site One can't screw with the content on Web Site Two.  (The new Microsoft word for that is "multi-tenancy."  You hear the phrase a lot when you hear about Windows 8 Server.)  Or that they had to invent a new file format for virtual hard drives (VHDs) called "VHDX" because the old one could only grow to 2 terabytes in size, and needed to be faster.
  • More reliable.  Everyone wants reliability in their IT stuff, and so software houses have invested zillions in processes to turn out software with fewer bugs, but ultimately it's redundancy that's amped up network and storage reliability in the past decade or so, and until now, that's largely meant expensive shared storage/high speed networking hardware and expensive software.  In Windows 8 Server presentations, I kept seeing new approaches to the old fault tolerant/high availability needs, but this time the price point was way lower.  For example, you can create a budget Live Migration-like virtual machine infrastructure with two commodity boxes and a reasonably fast Internet connection (or even a crossover cable).  In another example, you can just drop a cheap commodity NIC into a server, click around Server Manager for a bit, and you've got NIC teaming that delivers both better throughput and more reliable networking.  In yet another example, you get champagne DHCP clustering (finally!) on a beer budget.  The big wild card here is "will I have to shell out $4,000 for Enterprise Server to get these features, or will the $1,000 retail Standard Server have the fun stuff?," and we won't know that for a while, because soon things will move out of the hands of the developers and into the hands of the marketing people.  And while I'm talking about what's "reliable," I should mention that one of the reliability surprises is the quality of this pre-beta code -- they're almost feature-complete and they haven't even shipped a beta.  Expect to hear a lot of vague "we're not going to ship this software until our customers tell us it's ready, we're not in a rush" to turn into "we're RTM-ing this thing in four weeks!" without much warning.
  • More manageable.  You won't be surprised that Microsoft's shipping yet another console for managing servers -- it still lacks at least one "must-have-it" check box -- but you will be surprised at how much better it's laid out, and that it clearly understands the idea that a well-thought-out 2011 network is one viewed as a set of services, not servers.  The number of PowerShell cmdlets is up to about 2300 in-the-box, and most of them can be directed at 148 servers simultaneously almost as easily as at one server.  And there's a version of Server Core that will make you never want to install a server with the full GUI ever again, making managing a building full of headless servers not really very painful at all.

Put that all together, and you get that Windows 8 Server is essentially "cloudier," and by that I don't mean obscure, I mean "built for making clouds," whether it's their own Azure cloud or your own private cloud.  They probably should have called it "Windows Azure Foundation Server, version 1.0."  (My guess is that's exactly how all of this stuff got done in the first place -- having to make Azure work must have driven needs for innovations like this, and it must have dawned on them that it'd be crazy not to make some money on all of those Azure-derived improvements.)

Anyway, let's start a quick overview of what's in Server 8 and I'll be covering this more in-depth after I get the pre-release code to play with.

Network Management

Network management and infrastructure components are, in the words of  a Microsoft evangelist I spoke with many years ago, "just plumbing," but I've always noticed that the "just" tends to fall out of discussions when the toilets have backed up and it's Sunday morning.  Windows 8 Server incorporates a lot of new, um, plungers.  (Maybe I shouldn't have employed that particular metaphor.)

A Server Core that Scores

I have always loved the idea of Server Core, a version of Windows Server without a GUI.  GUIs include things like Internet Explorer, which seems to need patching -- and rebooting -- every week or so, and that just doesn't do a thing for our quest for five-nine-ness.  What's always made the desire for a slimmed-down server frustrating is that, you know, those Linux guys have a GUI that they can choose to turn off whenever they want to.  Sure, I'm a command line guy, but there's about 10 minutes a month that I'd like to have a GUI on my server.  But with 2008 and 2008 R2, you have to make a hard-and-fast choice:  full-blown flabby patch-ridden GUI server, or austere no-GUI no-Start-Menu figure-out-wevtutil-while-trying-to-fix-a-crisis, good-luck-with-those-HP-teamed-NICs Server Core.

With Windows 8, however, you can essentially turn the GUI on and off at will, meaning that you can be running that lean-and-mean Server Core most of the time, but when the thought of writing a 180-character PowerShell command to tweak one Web site just seems like it's too much to face, you can fire up the GUI and Server Manager your way out of trouble.
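The on/off switch described above, as an added example that is not from the newsletter: it uses the feature names Windows Server 2012 shipped with (Server-Gui-Shell and Server-Gui-Mgmt-Infra); the pre-release build this issue describes may have used different names, and the WIM path is an assumption.

```powershell
# Added example (not code from the newsletter). Feature names are the ones
# Windows Server 2012 released with; the install-image path is assumed.

# Which of the three installation levels is this box at?
Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell |
    Format-Table Name, DisplayName, InstallState -AutoSize

# Full GUI -> "Minimal Server Interface": keep Server Manager and the MMCs,
# drop Explorer, the desktop shell and Internet Explorer (the component
# behind most of the patch-and-reboot cycles the text complains about).
Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart

# Minimal Server Interface -> Server Core: drop the management layer too.
# -Remove also deletes the feature payload from the side-by-side store, so
# a later Install-WindowsFeature must be pointed at a source image.
Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra -Remove -Restart

# The "ten minutes a month" case: put the shell back for one crisis...
Install-WindowsFeature -Name Server-Gui-Shell -Restart `
    -Source 'wim:D:\sources\install.wim:4'   # assumed: index of a full-GUI image

# ...and take it away again afterwards, so the attack surface goes back down.
Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart
```

Removing Server-Gui-Shell alone is the interesting middle ground: Server Manager and the consoles still run, but the shell and browser are gone, which is where most of the GUI's patch load lives.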

Server Manager Goes Metro and Multi

If you've managed a Server 2008 or 2008 R2 server, you know Server Manager.  In 2008 and 2008 R2, it's essentially a container into which Microsoft has placed a bunch of MMCs to control the various Server subsystems.  It's not bad, but it's not good in that controlling a remote server with Server Manager or, heaven forfend, a bunch of remote servers, is difficult or impossible.

You may know that Microsoft has a visual style that they've used at their Live site for a while called "Metro," featuring big, open sans-serif fonts, a pale white background and a lot of open, white space.  They then put many of those ideas onto Windows Phone 7, creating something called a "tile" that's larger and more useful than an icon, but not as useful as a "main line" application like Word.  Tiles lack frames, scroll bars, minimize/maximize icons and all other "chrome" that you see in most windows.  (If that's still not clear, imagine a Windows 7 desktop with a bunch of small colored square-ish rectangles.  One shows you the current time and temperature, one scrolls tweets in its space, another rotates CNN headlines, another shows you what's happening on your Facebook wall, that sort of thing.  If that's still not clear, imagine what a "dynamic" Windows desktop would look like if it were designed by a Tourette's sufferer who was also afflicted with attention deficit disorder.  Having said that, I admit that I'm always grumpy about new user interface fluff, but soon find a few things about a new UI to which I become addicted.)

In any case, Microsoft rebuilt Server Manager to look Metro-ish, which seems like a good idea given that so many of us IT pros are also design freaks who've been pining for avocado- and mango-colored squares on our desktop.  Seriously, though, the neat thing about the new Server Manager is that Microsoft's thinking not just Metro, but Multi.  Want to do something -- install updates, reboot, load the DNS role -- on eight servers simultaneously?  No problem -- just grab 'em all and do it with just a few clicks.  Don't care about server-by-server things, and you think more in terms of services, as in "let me make such-and-such change on all of my DHCP servers right now?"  Server MetroMultiManager can do that.  Got a configuration on one server that you want to duplicate to a bunch of others?  No problem -- go to the "model" server and tell it to export its configuration in XML, then apply that XML file to the other servers.

It sounds great and was a lot of fun to play with, but there's a big fly in the ointment.  Multi-server management on a GUI is neat, but isolating oft-needed management tasks and automating them is far neater, and so you know what I'm going to say next.  (It starts with "P" and ends with "L" and isn't "PERL.")  So you've got some task you do a lot in the GUI and would like to write a little PowerShell script to do the equivalent of a few dozen mouse clicks?  Well, you'd think that it's 2011, and so as you click things in the new Server Manager that you'd get a little window that Server Manager would fill with the PowerShell equivalent commands, but... no.  Exchange does that.  Virtual Machine Manager does that.  Active Directory Administrative Center does that.  (Yes, you read that right.)  But Server MultiMetroMangoColoredSquaresManager doesn't do that.  Ah well.  I guess they've got to leave something for the Windows 9 Server team to do.

Windows 8 Server's (let's call it W8S from here on in) new Server Manager incorporates some very clever new concepts, and does a decent job of packing a lot of stuff into a small space.  I especially love that the Event Viewer part lets you say, "I don't care that Terminal Services is barking at me about some printer driver that I haven't got, and I hate that Terminal Services keeps telling me that... so don't ever show it to me again."  It's true -- spend ten minutes with MetroMango's Event Viewer, and you can make it far more useful than any other Event Viewer that you've worked with.  But it really needs that PowerShell command "reflection" window.

Network Upgrades

Plumbing, part two:  some new parts for the bits and pieces that keep the leg bone connected to the ankle bone.

NIC Teaming

It's been around for a while, but as a hardware feature needing vendor-specific drivers and tools.  Now the operating system does the work.  The idea is that you have a computer with more than one NIC in it, so you plug both NICs into the switch, and two things happen.  First, Windows now knows to use the bandwidth on both NICs, improving throughput.  Second, if one of the NICs fails, things keep working.  Any two NICs can do the job -- if you've got an onboard NIC with a Broadcom chipset and a PCI NIC with an Intel chipset, they can work just fine together.
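Building and then deliberately breaking such a team, as an added example (not from the newsletter) using the NetLbfo cmdlets Windows Server 2012 shipped with; adapter names are assumed.

```powershell
# Added example (not from the newsletter). Cmdlets are the Windows Server 2012
# release names; adapter naming ("Ethernet", "Ethernet 2", ...) is assumed.

# Pick every connected adapter with the default naming as a team member.
$members = Get-NetAdapter |
    Where-Object { $_.Status -eq 'Up' -and $_.Name -like 'Ethernet*' } |
    Select-Object -ExpandProperty Name

# Switch-independent mode needs no configuration on the switch, so the two
# members can even hang off two different switches for extra fault tolerance.
New-NetLbfoTeam -Name 'Team1' -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
    -Confirm:$false

# Every member should be Active; a Failed member means its link is down.
Get-NetLbfoTeamMember -Team 'Team1' |
    Format-Table Name, Status, AdministrativeMode -AutoSize

# Now test the second promise ("if one of the NICs fails, things keep working")
# before you need it: pull one member out and confirm the team interface stays Up.
$victim = $members[0]
Disable-NetAdapter -Name $victim -Confirm:$false
Start-Sleep -Seconds 5
Get-NetLbfoTeam -Name 'Team1'       | Select-Object Name, Status   # expect Up (or Degraded), not Down
Get-NetLbfoTeamMember -Team 'Team1' | Select-Object Name, Status
Enable-NetAdapter -Name $victim -Confirm:$false
```

The disable/enable pair is the check worth keeping in a runbook: a team whose failover has never been exercised is a hope, not a design.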

DNSSEC Gets More Useful

If you've seen my 75-minute DNSSEC talk, you know that DNSSEC is an up-and-coming technology that many of you will want to implement on your networks, and you also know that while Microsoft implemented DNSSEC in Windows Server 2008 R2 and Windows 7, their implementation was a bit uneven.  You must sign your zone by taking it offline and running a few pretty long, ugly DNSCMD commands.  It can't validate zones that use the March 2008 RFC (RFC 5155) that introduces NSEC3, an innovation that most important zones are using.

With W8S, that changes.  Its new DNS does NSEC3 and can be configured to automatically sign your zones as they change.  Haven't had time to try it out but it sounds pretty good.
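What "sign it online, with NSEC3" looks like, as an added example that is not from the newsletter: it uses the DnsServer cmdlets Windows Server 2012 shipped with, and the zone name, salt and the exact parameter names for the NSEC3 settings are assumptions from memory rather than anything the article shows.

```powershell
# Added example (not from the newsletter). Cmdlets are the Windows Server 2012
# release names; zone, salt and the NSEC3 parameter names are assumed.
$zone = 'corp.example.com'

# 1. Keys first: a 2048-bit KSK and a 1024-bit ZSK, both RSA/SHA-256. The
#    ZSK is short-lived and rolled automatically, which is why it can be smaller.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# 2. NSEC3 rather than NSEC, so nobody can walk the zone name by name, with a
#    salt and a few extra hash iterations to make offline dictionary attacks dearer.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3Iterations 10 -NSec3UserSalt 'a1b2c3d4'

# 3. Sign in place, online. After this, dynamic updates are signed as they land.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force

# Checks: the zone setting stuck, NSEC3 records exist, and a DO-bit query
# comes back with an RRSIG next to the answer.
Get-DnsServerDnsSecZoneSetting -ZoneName $zone | Select-Object DenialOfExistence, NSec3Iterations
Get-DnsServerResourceRecord -ZoneName $zone -RRType Nsec3 | Select-Object -First 3
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server localhost |
    Format-Table Name, Type, TTL -AutoSize   # expect an A record plus an RRSIG
```

The last three lines are the part to automate: a zone that was signed once and whose signatures then expired unnoticed fails validation everywhere at once.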

DHCP Gets Failover Clustering

It's true.  Real failover for DHCP, and you don't have to buy a SAN or build a Windows failover cluster to get it.  It's got one of those Metro-ish UIs, as well.  DHCP clustering for the masses -- it's about time.
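Setting up such a pair, as an added example that is not from the newsletter: in the shipping product this is "DHCP failover," a relationship between two ordinary DHCP servers (hot standby or load balance), and the cmdlets below are the Windows Server 2012 release names; server names, scope and secret are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# server names, scope and the secret are assumed.
$primary = 'dhcp1.corp.example.com'
$partner = 'dhcp2.corp.example.com'
$scope   = '10.10.0.0'

# The shared secret authenticates every failover message between the partners.
# Prompt for it rather than leaving it in a script that ends up in a repo.
$secret = Read-Host -Prompt 'Failover shared secret'

# Hot standby: dhcp1 serves the scope, dhcp2 holds 10% of the pool in reserve and
# takes over automatically after 10 minutes of silence (MCLT one hour).
Add-DhcpServerv4Failover -ComputerName $primary -Name 'dhcp1-dhcp2' `
    -PartnerServer $partner -ScopeId $scope -ServerRole Active -ReservePercent 10 `
    -MaxClientLeadTime 01:00:00 -AutoStateTransition $true -StateSwitchInterval 00:10:00 `
    -SharedSecret $secret -Force

# Both sides should report State Normal and the same partner.
Get-DhcpServerv4Failover -ComputerName $primary | Select-Object Name, Mode, State, PartnerServer
Get-DhcpServerv4Failover -ComputerName $partner | Select-Object Name, Mode, State, PartnerServer

# Push the lease table across and confirm the partner really holds the scope.
Invoke-DhcpServerv4FailoverReplication -ComputerName $primary -Name 'dhcp1-dhcp2' -Force
Get-DhcpServerv4Scope -ComputerName $partner -ScopeId $scope
```

Use -LoadBalancePercent 50 instead of -ServerRole/-ReservePercent if you want both servers handing out leases; either way, the two servers must be reachable to each other on TCP 647, so open that on the host firewalls before wondering why the state never leaves Communication Interrupted.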

IP Address Management

A new tool that makes assigning static IP addresses easier, and helps keep track of DHCP and DNS servers and the like.  If you're assigning static IP addresses to servers rather than managing them via DHCP reservations, give this a look.  It will do a lot of network discovery, so you might want to warn your security guys before running this.

DirectAccess in One Click

DirectAccess is an IPsec-based replacement for standard VPNs that Microsoft released with Windows Server 2008 R2.  It's interesting because it's a don't-think-about-it way to stay connected to your organization's behind-the-firewall resources, and to stay connected all the time.  Unlike a conventional VPN, it enables two-way communications so that even if you've just left your laptop turned on overnight while it's attached to your home network, the central IT folks can reach out and do remote administration tasks.

The only problem with DirectAccess has been that you've got to know a lot about certificates, IPSec, IPv6 and a bunch of other things in order to make it work.  Basically DirectAccess has always looked like one of those really great ideas that need a bit more thought, and apparently the networking folks at Microsoft agreed.  They showed us a wizard wherein you pretty much just click "Make DirectAccess work," and everything gets set up, even if you don't have IPv6 set up.  Again, this is one of those cases where I saw it happen, and haven't yet had time to find out more, but I'm told that it really is a switch-flip and your domain member systems are DirectAccess-ed.  More when I know it.

Active Directory Changes

AD gets some management upgrades, relieves the KMS and "can I virtualize my DCs" headaches, pumps up AD Admin Center, and, for a closing act, completely changes how we set permissions on file servers.

Remote DCPROMO

Here's an example of where the new Server Manager's remote-ness can be useful:  DCPROMO.  No more must you physically travel to the Schema Master or the Infrastructure Master -- nope, now you are the master, and that's how it should be, isn't it?

There's still a GUI way to do it, and now there's a PowerShell way to do it, so starting your own domain is just the easiest thing, or at least so I've been told.  I've not had time to play with it yet, so it'll be interesting to see if that pointless blathering about creating a DNS delegation that besmirched 2008 and 2008 R2's DCPROMO has gone away.
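The PowerShell way of doing it, as an added example that is not from the newsletter: it uses the ADDSDeployment cmdlets Windows Server 2012 shipped with, runs the promotion over WinRM from an admin workstation (which is what the new Server Manager does too), and the server and domain names are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# target server and domain name are assumed. Run from a domain-joined admin box.
$target = 'dc3.corp.example.com'
$domain = 'corp.example.com'
$creds  = Get-Credential -Message 'Account with rights to add a DC'

Invoke-Command -ComputerName $target -Credential $creds -ScriptBlock {
    param($domain, $creds)

    # The binaries first; this does not touch the directory yet.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

    # Directory Services Restore Mode password: prompt, never embed.
    $dsrm = Read-Host -AsSecureString -Prompt "DSRM password for $env:COMPUTERNAME"

    # Dry run: the Test- cmdlet performs the same prerequisite checks as the wizard
    # (can it reach the PDC emulator, is the DNS delegation missing, etc.) without changing anything.
    $check = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $creds `
        -SafeModeAdministratorPassword $dsrm -InstallDns
    if ($check.Status -ne 'Success') {
        throw "Prerequisite check failed: $($check.Message)"
    }

    # The promotion itself. The server reboots when it finishes.
    Install-ADDSDomainController -DomainName $domain -Credential $creds `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force
} -ArgumentList $domain, $creds

# After the reboot: is it a DC, and is it replicating with a partner?
Get-ADDomainController -Identity 'dc3' | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
Get-ADReplicationPartnerMetadata -Target $target | Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
```

Running Test-ADDSDomainControllerInstallation first is the habit to keep: it is the same output the wizard shows on its review page, and it turns the DNS-delegation warning from something you click past into something you can read.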

Virtualization-Aware Domain Controllers

Two of the coolest things that we've gotten in the past 12 years are virtualization and Active Directory, which is why it's kind of a shame that they don't entirely get along.  Basically, if you build a domain controller on a virtual machine with Windows Server 2008 R2 or earlier, then you're okay, just so long as you never restore a snapshot.  Why you shouldn't is a long story, but basically it can lead to your domain controllers getting out of sync and staying out of sync, plaguing your directory service with errors called "USN rollback" with attendant zombie-like accounts called "lingering objects."  It's a perfect recipe for a long weekend with repadmin, adsiedit and Excedrin.

If you're running a domain controller under W8S's Hyper-V virtual machine manager and that domain controller's running atop a virtual machine running W8S, then Hyper-V knows how to pass the word to the DC that the DC's gone back in time (that is, a snapshot was restored) and so the DC can make the adjustments necessary to keep the domain zombie-proof.  (To my directory services expert brethren and sistren:  I know that "zombie object" means something different in AD, but "lingering object" explains things so much easier.)

That's very nice, but Microsoft's taken it a bit further by enabling simple DC cloning.  The idea is that you get a DC the way you like it and then, if you have the permissions, you can set up the DC's VHD files so that you can make the virtual DC clone-able.  What's that good for?  Well, if you want to set up a test network that looks like your real network, then having a functioning and up-to-date DC is a fast way to get started.  In another situation, you could rebuild a destroyed domain using a DC clone as a starting point.
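The two features above together, as an added example that is not from the newsletter: checking that a virtual DC has actually received the hypervisor's generation identifier (the shipping mechanism is the VM-Generation ID, stored on the DC's computer object as msDS-GenerationId), then cloning it with the Windows Server 2012 release cmdlets. The "permissions" the text mentions are membership of the Cloneable Domain Controllers group. DC, VM and path names and the static addresses are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release names;
# DC names, Hyper-V paths and IP addresses are assumed.
$sourceDC  = 'DC1'
$cloneName = 'DC-CLONE1'

# 0. Is the safety net actually in place? A DC that got a generation ID from the
#    hypervisor stores it on its computer object. Empty means the hypervisor is
#    not supplying one, and restoring a snapshot is still as dangerous as ever.
Get-ADComputer -Identity $sourceDC -Properties 'msDS-GenerationId' |
    Select-Object Name, @{ n = 'GenerationId'
                           e = { if ($_.'msDS-GenerationId') { [BitConverter]::ToString($_.'msDS-GenerationId') } else { '<none>' } } }

# 1. Authorize cloning: the source DC's account goes into the group.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members "$sourceDC`$"

# 2. On the source DC: refuse to clone if it runs software not known to be
#    clone-safe, write the clone config, then shut down cleanly.
Invoke-Command -ComputerName $sourceDC -ScriptBlock {
    $unknown = Get-ADDCCloningExcludedApplicationList
    if ($unknown) {
        $unknown | Format-Table -AutoSize
        throw 'Review these applications before cloning (or -GenerateXml to allow them)'
    }
    New-ADDCCloneConfigFile -CloneComputerName $using:cloneName -Static `
        -IPv4Address '10.10.0.21' -IPv4SubnetMask '255.255.255.0' `
        -IPv4DefaultGateway '10.10.0.1' -IPv4DNSResolver '10.10.0.10' `
        -SiteName 'Default-First-Site-Name'
    Stop-Computer -Force
}

# 3. On the Hyper-V host: export the stopped VM, import it as a copy with a new
#    ID (so the clone gets a fresh generation ID), rename and boot. The clone
#    reads its config file on first boot and promotes itself; then restart DC1.
Export-VM -Name $sourceDC -Path 'D:\Export'
$clone = Import-VM -Path (Get-ChildItem "D:\Export\$sourceDC\Virtual Machines\*.xml").FullName `
    -Copy -GenerateNewId -VirtualMachinePath 'D:\VMs' -VhdDestinationPath 'D:\VMs'
Rename-VM -VM $clone -NewName $cloneName
Start-VM -VM $clone
Start-VM -Name $sourceDC

# 4. Confirm there are now two DCs and the clone is in the right site.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```

The step most people skip is the exclusion-list check: anything the cloning code does not recognize (agents, third-party DNS, backup software) is exactly the kind of thing that will come up on the clone with the original's identity baked in.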

AD Admin Center Gets Upgrades, AD Users and Computers Stops Growing

Server 2008 R2 brought us the Active Directory Administrative Center (ADAC), a PowerShell-based application with a friendly GUI wrapped around it.  Designed as sort of a way to reimagine AD Users and Computers, it's a bit quirky but was built to be task-oriented.  For example, when you start R2's ADAC, the first thing that it offers is a quick and easy UI to find a user's account and reset the account's password, which is probably the most common AD-related task for most networks.  R2's ADAC's user creation task offers a wizard that touches on far more of a user's account attributes than ADUC's wizard does.  ADAC could not, however, do everything that ADUC could, as it wouldn't let you change domain functional levels, shift FSMO roles and other things.

In Server 8, ADAC gets several kinds of improvements:

  • It's now got feature parity with ADUC.  As far as I can see, anything that ADUC can do, ADAC can also do.  There is one large exception to that, however:  third-party extensions to ADUC, and as far as I can see, none of them work in ADAC.  That is why Microsoft's leaving ADUC in Server, but they're not adding any features to it from this point on.
  • ADAC has now acquired a GUI for the AD Recycle Bin that appeared in Server 2008 R2, and for the fine-grained password policies that appeared in Server 2008.
  • Again, ADAC is really a PowerShell-based administration tool; when you click a button in its GUI, ADAC generates and executes one or more PowerShell commands under the hood.  With Server 8's Active Directory, ADAC has a window wherein it prints the PowerShell commands that it last issued.  You can cut and paste those commands, meaning that using ADAC can, in passing, help make you a PowerShell expert and can help get you on the road to writing PowerShell scripts.  (Have I mentioned that W8S's Server Manager really needs a feature like that?)

Dynamic Access Control (DAC)

In short, a completely new way to create file permissions, going way beyond our current system of allowing or denying access to a file/folder solely through user's group memberships.

Currently we control access to files, folders and shares via "permissions":  a "discretionary access control list" (DACL or, more commonly, an "ACL") lets us say things like "X person can read this file," "Y group is denied the ability to write this file," and the like.  To do file/folder permissions, you essentially must create groups and then go to each folder and tell the folder what those groups can and cannot do.  While this works, it tends to lead to a world wherein large companies actually have more groups than they have users, as folks who've adopted what is called "role-based access control" tend to have to (I'm simplifying) create several groups for each folder.

Compliance requirements have put more pressure on the IT folks who are supposed to be able to say things like "only doctors can access the MRI photos," as someone's got to identify which users are doctors and which images are MRIs.  Yes, putting the doctors in a group called "doctors" and the MRI images into a folder named "MRI images" can do the trick in that simple case, but what if we want to classify the MRI images by what they're images of?  A file system with images\kidneys and images\spine leads to the problem of where an image of a spine and a kidney goes, and similarly there are lots of different kinds of doctors.  In short, what might be called the "container model" is limited and gets downright cumbersome pretty quickly.  Furthermore, it leads to a profusion of groups, and too many groups gives Kerberos heartburn, leading to something called "token bloat" that can (and has, in the case of some large companies) make logons fail.

So what's a better way?  Well, instead of building groups and folders, we can tag user accounts with AD attributes.  Most folks don't use them, but every AD user ever created has space in its AD object for a title.  Every file on an NTFS volume can be tagged with keywords.  Furthermore, AD machine objects have attributes as well.  So it'd be kind of neat to be able to say,

MRI image files (as defined by a tag on the file or its folder) can only be accessed by doctors (as identified by an AD attribute where "title" equals "physician" or the like), and that doctor can't be looking at it from home -- she's got to be sitting at a secure workstation (which we identify by the value in the workstation's "physicalDeliveryOfficeName" attribute equalling "secure location").

That's called "dynamic access control" or "content-based access control" (or a very simple example of it -- DAC opens the doors to being able to create some very powerful and compliance-auditor-satisfying rules) and it's part of any Windows network with at least one Windows 8 domain controller (DC) and at least one Windows 8 file server.  The old permissions still work, but now Windows makes use of file tags (which have been around since Windows 2000 but are largely unused) and the literally dozens of attributes on AD objects (which have likewise been around since Windows 2000 but are largely unused).  Another neat part of CBAC is that not only can you still create permissions based on groups as we've done for years, you can also create permissions based on more than one group, conjoined by AND or OR.  ("Only if you're in group A and in group B do you get access" -- something a plain ACL can't express, since two group ACEs on a folder always mean "either one will do.")  Again, you can also get to this with a fairly small investment, as your domain does not have to be in "W8S domain functional level" or the like.  Yes, there's a schema update before you can install your first W8S DC, but that's always the case with new versions of Server.

A reasonable question at this point is, "who's going to do all of that tagging?" Who puts "doctor" into a user account's title?  Who marks a particular JPEG as an MRI?  When it comes to tagging people's AD accounts, the answer seems to be that Windows has ADAC, and that ADAC lets you populate AD attributes.  Microsoft says that the goal is for a job like setting "title equals doctor" to be HR's job, and if you're an AD expert then you already know that AD includes permissions that will let us say who gets to modify AD attributes for a particular user.  File tagging's always had something of a dodgy UI, but in a file or folder's Properties dialog there's now a "Classification" tab that allows modifying particular file tags.  But W8S file servers have a nice feature to let you automatically classify files:  regular expressions.  The Microsoft folks did a demonstration wherein they had a folder that scanned the files in it and, if it found a numeric string that looked like a credit card, then it would mark the file as "sensitive," which allowed a DAC policy rule to restrict further who could access it.  (In my MRI example, I imagine that MRI machines populate an area in JPEG images called "EXIF" data that identifies the image as an MRI, and perhaps a regular expression could be written that uses that information.)
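The whole chain from the last two sections, as an added example that is not from the newsletter: a resource property defined in AD, a file-server classification rule that sets it from a regular expression, a Luhn check to weed out the regex's false positives (any 13-19 digit run matches; only real card numbers pass Luhn), and a central access rule that grants read access only when the file carries the tag and the user's Title claim says Physician. It uses the ActiveDirectory and FSRM cmdlets Windows Server 2012 shipped with; names, paths, the resource-property ID format and the conditional-ACE/SDDL syntax are assumptions from memory, not anything the article shows.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# names, paths, the property ID and the SDDL condition syntax are assumed.

# ---- On a Windows 8 DC: the vocabulary the rules will speak ----------------
# A user claim sourced from the "title" attribute HR already maintains.
New-ADClaimType -DisplayName 'Title' -SourceAttribute 'title' -ID 'ad://ext/Title'

# A resource property (file tag) with two allowed values, published so file servers pick it up.
$yes = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Yes', 'Yes', 'Contains card numbers')
$no  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('No',  'No',  '')
New-ADResourceProperty -DisplayName 'CardData' -ID 'CardData_ex' -IsSecured $true `
    -ResourcePropertyValueType MS-DS-SinglevaluedChoice -SuggestedValues $yes, $no
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'CardData_ex'

# The rule: on files tagged CardData=Yes, Authenticated Users get read (0x1200a9)
# only if their Title claim is Physician; owner and admins keep full control.
New-ADCentralAccessRule -Name 'Card data - physicians only' `
    -ResourceCondition '(@RESOURCE.CardData_ex == "Yes")' `
    -CurrentAcl 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;(@USER.ad://ext/Title == "Physician"))'
New-ADCentralAccessPolicy -Name 'Claims CAP'
Add-ADCentralAccessPolicyMember -Identity 'Claims CAP' -Members 'Card data - physicians only'

# ---- On the W8S file server: tagging ----------------------------------------
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Update-FsrmClassificationPropertyDefinition            # pull CardData_ex down from AD

# 13-19 digits with optional space/dash separators, on word boundaries.
$cardRegex = '\b(?:\d[ -]?){12,18}\d\b'
New-FsrmClassificationRule -Name 'Tag card numbers' -Property 'CardData_ex' -PropertyValue 'Yes' `
    -Namespace @('D:\Shares\Claims') -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @($cardRegex) -ReevaluateProperty Overwrite
Start-FsrmClassification -Confirm:$false

# ---- Audit the regex with Luhn: the tag is now an access decision, so find files
# ---- it tagged on the strength of something that is not a card number.
function Test-Luhn([string]$digits) {
    $sum = 0; $double = $false
    for ($i = $digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][char]$digits[$i] - 48
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}
$rx = [regex]$cardRegex
Get-ChildItem 'D:\Shares\Claims' -Recurse -File | ForEach-Object {
    $hits = @($rx.Matches((Get-Content $_.FullName -Raw)) | ForEach-Object { $_.Value -replace '[ -]' })
    $real = @($hits | Where-Object { Test-Luhn $_ })
    if ($hits.Count -gt 0 -and $real.Count -eq 0) {
        "$($_.FullName): regex matched $($hits.Count) number(s), none Luhn-valid -> probable false positive"
    }
}
```

The central access policy itself is pushed to file servers by Group Policy (Computer Configuration, Security Settings, File System, Central Access Policy) and then selected on a folder's Central Policy tab; the Luhn audit exists because an over-eager regex here doesn't just mislabel a file, it changes who can open it.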

I suspect that this will ultimately turn out to be a Top Five Windows 8 Server feature.  I'll post more as I learn more.

AD-Based Activation

Do you hate dealing with Windows Activation and Key Management Servers (KMS)?  Yup, everyone does.  So now when you join AD, AD handles the activation and key management.  Haven't actually seen it yet and I don't have access to the hardware I'd need to do any testing on it, but the idea seems to make some amazing sense.

Virtualization Changes

Super Cheap Hyper-V Replication

You may have heard of this one already, as Microsoft demonstrated it at a conference earlier this spring/summer.

So you've got an important VM running on your Hyper-V server named "HV1" and would like to do some fault tolerance, but don't want to have to buy the hardware for a Cluster Shared Volume (CSV), with its need of shared storage and the like.  No problem -- just set up another Hyper-V system (call it HV2) and tell HV1, "replicate that important VM to HV2."  Of course you can do that with a PowerShell one-liner, so if you want to kick off that replication every, say, five minutes, you could, and if HV1 goes down, you can just type a command or fire up the Hyper-V Manager console and start up the one on HV2.  (Oops, sorry, I meant to say "fail over the VM.")

What's nicer is that HV1 and HV2 could just be cheap commodity hardware.  Heck, they could be running on SATA drives, if we were really strapped for cash.  Furthermore, the connection could be a simple one gigabit Ethernet link, or a moderately fast Internet connection, as Hyper-V's smart enough to only replicate the changes to the virtual machine's VHD files when updating a replica.  (You can choose to create the original replica not over the Internet but instead by copying it from a portable drive of some kind, getting the whole process rolling more quickly.)  Sure, running it on a shared cluster's a better answer, but this one's a lot cheaper and will be a perfectly acceptable answer for many small and medium outfits, or low-importance projects in larger organizations.
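The HV1/HV2 setup, as an added example that is not from the newsletter: it uses the Hyper-V Replica cmdlets Windows Server 2012 shipped with (where the replication interval is fixed at five minutes), authenticates the replication channel with Kerberos because both hosts are assumed to be domain members, and host, VM and path names are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# host names, VM name and paths are assumed. Domain-joined hosts -> Kerberos;
# across the Internet use -AllowedAuthenticationType Certificate instead, which
# also encrypts the traffic (Kerberos/HTTP replication is authenticated but in clear).
$primary = 'HV1'; $replica = 'HV2'; $vm = 'PAYROLL-SQL'

# On HV2: accept replication, but only from HV1, not from any server that asks.
Invoke-Command -ComputerName $replica -ScriptBlock {
    Set-VMReplicationServer -ReplicationEnabled $true -AllowedAuthenticationType Kerberos `
        -ReplicationAllowedFromAnyServer $false -KerberosAuthenticationPort 80
    New-VMReplicationAuthorizationEntry -AllowedPrimaryServer 'HV1.corp.example.com' `
        -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Payroll'
    Enable-NetFirewallRule -DisplayName 'Hyper-V Replica HTTP Listener (TCP-In)'
}

# On HV1: replicate the VM, keep four hourly recovery points, compress on the
# wire. The initial copy goes over the network here; Start-VMInitialReplication
# -DestinationPath '<portable drive>' is the "walk it over on a disk" variant.
Invoke-Command -ComputerName $primary -ScriptBlock {
    Enable-VMReplication -VMName $using:vm -ReplicaServerName 'HV2.corp.example.com' `
        -ReplicaServerPort 80 -AuthenticationType Kerberos -RecoveryHistory 4 -CompressionEnabled $true
    Start-VMInitialReplication -VMName $using:vm
}

# Health check worth scheduling: State should be Replicating, Health Normal.
Get-VMReplication -ComputerName $primary -VMName $vm | Select-Object Name, State, Health, Mode
Measure-VMReplication -ComputerName $primary -VMName $vm

# HV1 just died: unplanned failover on HV2, boot the replica, then tell HV2 it
# is now the primary (until then it expects HV1 to come back and resume).
Start-VMFailover -VMName $vm -ComputerName $replica -Confirm:$false
Start-VM -Name $vm -ComputerName $replica
Complete-VMFailover -VMName $vm -ComputerName $replica -Confirm:$false
```

Start-VMFailover -AsTest brings up a copy of the replica on an isolated network without disturbing replication, which is the way to rehearse this before HV1 actually dies.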

Note that what I would like to add is something like "... and you don't need Enterprise Edition to do that," but apparently the decisions about what Standard Edition can and can't do are still up in the air.  I hope Microsoft doesn't try to force us all to Enterprise to get any of W8S's best new features.

Hyper-V on a File Server

Similar to the previous scenario, let's say that I have two Hyper-V boxes and, again, I'd like some kind of fault tolerance for a particularly important virtual machine.  The standard scenario is, again, to set up some sort of shared storage (oh, sorry, I misspelled that, I meant $hared $torage) upon which I keep the VHD files that the important virtual machine is made of.  The idea is that if the server running the Hyper-V virtual machine manager dies, the file that essentially is the virtual machine is sitting safely on a different box, and so can be easily grabbed and revivified by a different server running Hyper-V.  With W8S, I can just drop the important VM's VHDs onto a simple Windows file server using Microsoft's update of their nearly thirty-year-old file server protocol, SMB 2.2, and point both Hyper-V boxes at the shared file on the file server.  This wouldn't have worked reliably on a pre-W8S file server, as trying to fail over the VHDs from one Hyper-V system to another via a file share would, I am told, have almost certainly corrupted the VHD, ruining the virtual machine.

(Apparently it was a bad idea to put a SQL database on a file share, but that too is now kosher with W8S.)
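A file share built for this job, as an added example that is not from the newsletter: it uses the SMB and Hyper-V cmdlets Windows Server 2012 shipped with (by release "SMB 2.2" had become SMB 3.0), and server, host and path names are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# file server, host and path names are assumed.

# ---- On the file server FS1 -------------------------------------------------
# The VHDs *are* the machines, so the share's ACL is the disks' ACL: only the two
# hosts' computer accounts and the Hyper-V admins, and encrypt on the wire.
$hosts  = 'CORP\HV1$', 'CORP\HV2$'
$admins = 'CORP\Hyper-V Admins'
New-Item -ItemType Directory -Path 'D:\VMs' -Force | Out-Null
New-SmbShare -Name 'VMs' -Path 'D:\VMs' -FullAccess ($hosts + $admins) `
    -EncryptData $true -CachingMode None
Set-SmbPathAcl -ShareName 'VMs'          # mirror the share ACL onto the NTFS folder
Get-SmbShare -Name 'VMs' | Select-Object Name, Path, EncryptData, CachingMode
Get-SmbShareAccess -Name 'VMs'

# ---- On host HV1: create the VM with everything on the share ---------------
New-VM -Name 'PAYROLL-SQL' -MemoryStartupBytes 4GB -Path '\\fs1\VMs' `
    -NewVHDPath '\\fs1\VMs\PAYROLL-SQL\disk0.vhdx' -NewVHDSizeBytes 100GB
Start-VM -Name 'PAYROLL-SQL'

# ---- Back on FS1: prove the host negotiated the new dialect, not SMB 2.x ----
# Anything below 3.0 means the VHD is on the old, corruption-prone code path.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
Get-SmbOpenFile | Where-Object Path -like '*PAYROLL-SQL*' | Select-Object ClientComputerName, Path

# ---- On HV2, after HV1 dies: the same files, a different host -------------
Import-VM -Path (Get-ChildItem '\\fs1\VMs\PAYROLL-SQL\Virtual Machines\*.xml').FullName -Register
Start-VM -Name 'PAYROLL-SQL'
```

Two things bite here in practice: the hosts must be granted access as computer accounts (HV1$, HV2$), not via your own account, because it is the host that opens the VHD; and if you create the VM from an admin workstation rather than on the host, you need Kerberos constrained delegation from the hosts to FS1's cifs service, or the remote New-VM fails with access denied while the same command works fine when run on the host itself.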

Bigger Hyper-V Specs

I'm not a Hyper-V techie so I don't know if this is truly impressive, but apparently W8S Hyper-V hosts can now use up to 160 cores and may support more by RTM.  The Hyper-V hosts can use up to 2 TB of RAM.  Virtual machines on Hyper-V can have up to 32 virtual processors and 512 GB of RAM.  There's a new version of Microsoft's virtual hard drive (VHD) format called VHDX, intended both to run faster, as it avoids data alignment problems, and to exceed 2 TB in size, which apparently VHDs can't.  (I've built plenty of VHDs, but none that large.)  It incorporates large block sizes, which helps with faster data transfer.
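Converting an existing disk and creating a large, sector-aligned one, as an added example that is not from the newsletter: the Hyper-V cmdlets are the Windows Server 2012 release names, and VM and path names are assumptions.

```powershell
# Added example (not from the newsletter). Windows Server 2012 release cmdlets;
# VM name and paths are assumed.

# Convert a VHD to VHDX (VM must be off). Keep the old file until the VM boots.
Convert-VHD -Path 'D:\VMs\web01\disk0.vhd' -DestinationPath 'D:\VMs\web01\disk0.vhdx' -VHDType Dynamic

# Swap the VM's disk reference to the new file, then boot it to confirm.
Get-VMHardDiskDrive -VMName 'web01' | Where-Object Path -like '*\disk0.vhd' |
    Set-VMHardDiskDrive -Path 'D:\VMs\web01\disk0.vhdx'
Start-VM -Name 'web01'

# The alignment story in numbers: sector and block sizes the container reports.
Get-VHD -Path 'D:\VMs\web01\disk0.vhdx' |
    Select-Object VhdFormat, VhdType, Size, FileSize, LogicalSectorSize, PhysicalSectorSize, BlockSize

# A 3 TB data disk (impossible as a VHD) on a 4K-native array: report 4096-byte
# sectors to the guest so its partitions align to the host's sectors, and use
# 1 MB blocks so a dynamically expanding disk grows in large, aligned steps.
New-VHD -Path 'D:\VMs\data\archive.vhdx' -SizeBytes 3TB -Dynamic `
    -LogicalSectorSizeBytes 4096 -PhysicalSectorSizeBytes 4096 -BlockSizeBytes 1MB
```

Beyond size and alignment, VHDX also journals its metadata updates, which is the less advertised reason to convert: a host power loss mid-write no longer has a good chance of leaving the container itself unreadable.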

Large virtual systems that incorporate those expensive-but-useful shared storage clusters can now, after installing W8S-based Hyper-V servers, support 4,000 virtual machines per cluster ("scale up"), and clusters can now incorporate up to 63 nodes ("scale out").  Again, I don't build ginormous Hyper-V data centers, but I get the impression that those numbers are calibrated to induce incontinence amongst VMware ESX sales people.  (It's kind of like watching Top Gear and hearing Jeremy Clarkson talk about how some astoundingly expensive car produces 615 brake horsepower.  I have trouble understanding that, as I drive a car that gets 67 MPG with an engine that only produces about 615 mousepower.)

Storage Upgrades

In terms of new-feature-count, I think the storage folks might have taken the top spot.

The Humble File Server Gets Faster and More Reliable

I just mentioned that Hyper-V lets you run VMs from VHDs stored on a file server, so long as the file server is running Windows 8 Server's new SMB version 2.2, and speaking of SMB, it gets some nice upgrades.

  • Cluster Shared Volume support: the new-to-R2 CSVs are neat, but they were only built to provide reliable shared storage of VHDs for virtual machines.  With W8S, CSVs can provide the basis of reliable file shares.  What's sort of clever is now the volume shadow data on each server gets swapped with the other, allowing the cluster to quite efficiently only send the changes to the shares between the partners.  I'm told that a failover of a file server on a standard Microsoft cluster could take 25 seconds, but CSV clusters take only a second or two.
  • RDMA support for brain-melting speed: Windows now supports a class of NICs called "RDMA" NICs natively for SMB.  RDMA NICs are interesting because they're essentially 30 gigabit/second null modem cables, and generally do offloads, which means that while you're whacking all those bits around, you're not loading your CPU very much at all.  (I simplified things a bit there, but the basic ideas are right.)  SMB understands it now, which is interesting because RDMA doesn't run the IP protocol.  The result is that with a couple of W8S file servers you could possibly transfer a terabyte or two across the room more quickly than you could by unbolting the hard disk from one server, walking it across the room and popping it into the other server.  Microsoft calls it "SMB2 Direct."
  • File servers use bandwidth aggregation.  Put five 10-gigabit NICs into each of two servers, do a NET USE and start a ROBOCOPY, and you might even get a faster file transfer than that RDMA thing would offer.  (As always, you'll get a somewhat better file transfer rate if you put the sender on a higher rack so the data goes downhill.)  Also, this aggregation is dynamic, so if you're doing a transfer and it's not fast enough, just pop in a couple more NICs and it'll get faster in just a few seconds.  (This assumes, of course, that you have servers that support hot-plug PCI.)

Disk De-Duping:  Single Instance Store, 2011 Style

Remember Single Instance Store in Windows 2000 Server?  "De-duplication" (that seems to be its real name) is the same idea, better implementation.  Many disks contain files with a lot of redundancy when compared to other files on the disk, and that means wasted space.  To offer a very simple example, suppose you have some kind of storage containing a few hundred VHD files.  Those files are probably operating system images for virtual servers, and every copy of Windows contains several gigabytes of the same files -- notepad.exe on Datacenter Server is the same file as the one you find in Windows Starter Edition.  De-duping works by scanning files, looking for chunks in one file that match chunks in another, and removing the identical chunks.  In my Notepad example, that means that I'd find, say, 50 VHD files on some Hyper-V server, each of which represents a C: drive on a virtual server.  They all contain an identical copy of notepad.exe, so in effect I delete notepad.exe from 49 of the VHDs and replace it with a pointer to the copy in the one VHD that still has it.

That's a short description, but it goes further.  First of all, my example involved one duplicate file, but de-duping can go lower and notice identical "chunks" of a file.  If, for example, the only difference between the different copies of Notepad were their copyright date, de-duping could still save space by de-duping some number of sectors within Notepad.

Finally, de-duping applies not only to disk space but to networking.  If I'm copying a huge bunch of files from a Windows 8 system to another Windows 8 system, the network stack does de-duping as well.  Grab a bunch of VHDs and copy them across the network and it only takes a bit longer than copying just one of them would.

Improved Branch Cache

BranchCache is a nice technology but I always thought that Microsoft was pitching it wrong, and apparently they're of the same opinion.  They're recommending it in the central office as well as branches and have improved its throughput with -- I'm hoping this will not be a surprise by now -- de-duping.

Storage Spaces and Storage Pools

I'm running out of time and will cover this later, but in brief, what we think of as all of the Disk Manager stuff becomes "Storage Spaces."  Within that, all of the software RAID stuff has been enhanced by the notion of "storage pools," a tool that blends multiple hard disks into one logical unit, providing fault tolerance ("resiliency" is the Microsoft word here) and higher performance.  Basically it's Microsoft's latest step in their "direct access storage is okay" trend.  Again, some nifty stuff here that I'll cover in the future.

Offline Data Transfer

Imagine you're transferring data from VM1 to VM2 across the network.  But, under the hood, the fact is that VM1 and VM2 are hosted on Hyper-V servers that share the same storage, meaning that VM1 and VM2 actually live on the same SAN/cluster/whatever, and so the source location and destination location actually exist on the same SAN.  ODX simply notices that and shuffles the data from one side of the SAN to the other.

CHKDSK is Much Quicker

Short item but a crowd-pleaser.  Quick, now, tell the truth:  how many of you dread the idea of running CHKDSK on a server?  Well, now it works in two passes.  First, it scans the disk looking for troubled sectors, and that can run while the server's up and running.  Some fixes can be applied right on the spot, but others require a reboot or at least a dismount of the volume that contains the troubled areas.  Thus, you can keep your server running while CHKDSK scans your disk for hours, and then you can try CHKDSK with the new /spotfix option, which may allow CHKDSK to do its repairs without rebooting your server.  If, however, /spotfix can't do the job, then you will have to reboot your server, but it'll be a quick reboot.

That's not all of what's new in Server 8, nor is it the most important -- it's just the concepts that I've had time to write down.  I'll have a followup ready soon.  Meanwhile, feel free to drop me a line with questions or comments at help@minasi.com, and apologies for whatever I got wrong -- again, this is new stuff, and it'll take some time to try it all out and sort it all out. (And by the way, my thanks to Elisa, Paul and Guido for pointing out a couple of errors.  Much appreciated, guys!)

Upcoming Conferences

TechEd Houston May 2014 is my only conference on the schedule at the moment. I'm doing an on-stage conversation with Mark Russinovich about his Azure cloud experiences. I'm also doing "Modern Apps for IT Pros," a look inside those tablet-y "Metro" apps. If you're coming to TechEd I hope you'll stop by.

TechMentor: by the way, I won't be there, as they didn't like my proposed talks on clusters, ADFS, modern apps, or PowerShell, explaining to me that none of them were "really enterprise topics." Ah well. Another year, perhaps.

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm.  To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

All contents copyright 2011 Mark Minasi.  I encourage you to quote this material, SO LONG as you include this entire document; thanks.